From b9495cc50aa964c54eb2373a5743668ef154ca48 Mon Sep 17 00:00:00 2001
From: Josh Hart
Date: Tue, 21 Nov 2023 09:08:43 +0000
Subject: [PATCH] add comment explaining workaround for 3.4.1.1 check

---
 .../bottlerocket-cis-validating-image/validating-script.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh b/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh
index 823b481..ddf1367 100644
--- a/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh
+++ b/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh
@@ -271,6 +271,11 @@ ForwardChain=$(iptables -L | grep "Chain FORWARD" | awk '{print $4}')
 OutputChain=$(iptables -L | grep "Chain OUTPUT" | awk '{print $4}' )
 #echo $OutputChain
+# please note, For Kubernetes Bottlerocket variants, the iptables -P FORWARD DROP command will be unconditionally overwritten when the kubelet starts.
+# https://github.com/bottlerocket-os/bottlerocket/blob/52ea5b5c8d788f3e9d7a76e329cd2c766150cf59/packages/kubernetes-1.24/kubelet.service#L13
+# This is because Kubernetes relies on iptables rules to forward connections to any node in the cluster to the correct set of nodes where a nodePort service is running
+# Hence the below condition checks for ACCEPT instead of DROP for the ForwardChain
+
 if [[ $inputChain == "DROP)" ]] && [[ $ForwardChain == "ACCEPT)" ]] && [[ $OutputChain == "DROP)" ]]; then
 echo "[PASS] $RECOMMENDATION"